[Opendnssec-user] [hsm] unable to get key

Abdulkareem H. Ali kareem.ali at centralnic.com
Tue Feb 12 10:14:58 UTC 2019 

Hi Stephane,


Just restart ods-signerd.


I suffer from same bug, it happens when ODS generates a new key
automatically with key rollovers. I've debugged and troubleshooted this
issue even with our support partners but couldn't find a fix. It would
great if someone who has an idea what the fix could be who can help us.


Our setup is ODS running on Centos 7 boxes with Thales HSMs as backend.


To make it happen less, I pregenerate ZSKs and leave them in our
storage, and then restart ods-signerd after generating the keys. It will
give you a peace of mind for a while, until the key storage runs out and
a rollover will generate a new key, in which case you'll have to restart
ods-signerd again.


HTH

Kareem.



On 12/02/2019 10:09, Stephane Bortzmeyer wrote:
> One of my zones (I have several on the same OpenDNS instance, the
> others seem to work) is no longer signed. The log says:
>
> Feb 12 11:00:47 server ods-signerd[472]: ObjectFile.cpp(122): The attribute does not exist: 0x00000002
> Feb 12 11:00:47 server ods-signerd[472]: [hsm] unable to get key: key 548a9238dd2b608c488ddb6ba08796fb not found
> Feb 12 11:00:47 server ods-signerd[472]: [hsm] hsm_get_dnskey(): Got NULL key
> Feb 12 11:00:47 server ods-signerd[472]: [hsm] unable to get key: hsm failed to create dnskey
> Feb 12 11:00:47 server ods-signerd[472]: [zone] unable to publish dnskeys for zone cyberstructure.fr: error creating dnskey
> Feb 12 11:00:47 server ods-signerd[472]: [tools] unable to read zone cyberstructure.fr: failed to publish dnskeys (General error)
> Feb 12 11:00:47 server ods-signerd[472]: [worker[1]] CRITICAL: failed to sign zone cyberstructure.fr: General error
> Feb 12 11:00:47 server ods-signerd[472]: [worker[1]] backoff task [read] for zone cyberstructure.fr with 3600 seconds
>
> Checking the keys:
>
> % sudo ods-enforcer key list --zone cyberstructure.fr --verbose
> Keys:
> Zone:                           Keytype: State:    Date of next transition: Size: Algorithm: CKA_ID:                          Repository: KeyTag:
> cyberstructure.fr               ZSK      retire    2019-02-23 10:46:20      1024  8          8c88bea6d5f6ccefec67648a37ef6b86 SoftHSM     14454
> cyberstructure.fr               KSK      active    2019-02-23 10:46:20      2048  8          2d63a8cc9f68602d5b98f2bcb2714119 SoftHSM     63130
> cyberstructure.fr               ZSK      ready     2019-02-23 10:46:20      1024  8          548a9238dd2b608c488ddb6ba08796fb SoftHSM     17148
> key list completed in 0 seconds.
>
> I see that the "not found" key is the current ZSK, which is bad.
>
> First, an emergency: how to solve the problem before the expiration of
> signatures? Can I force a "rollover" of the ZSK and, if so, how?
>
> Then, longer term: what happened?
>
> OpenDNSSEC 2.0.4 running on Debian "stretch" (stable). "HSM" is
> SoftHSM 2.2.0.
> _______________________________________________
> Opendnssec-user mailing list
> Opendnssec-user at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user

-- 
Abdulkareem H. Ali
Operations Team Leader
CentralNic Group PLC
London Stock Exchange Symbol: CNIC

+44 20 3388 0600
www.CentralNic.com

CentralNic Group PLC is a company registered in England and Wales with
company number 8576358. Registered Offices: 35-39 Moorgate, London, EC2R
6AR.

More information about the Opendnssec-user mailing list